PURPOSE:

The University takes seriously its commitment to protect the confidentiality of data necessary to the University’s academic, research and administrative missions and to protect personally identifiable information entrusted to its care, consistent with law, policy and industry practice.

The purpose of this Policy is to establish the categories of sensitivity that apply to data processed, stored or transmitted within the University and its systems. The categories also apply equally to data processed, stored or transmitted on behalf of the University by third party providers. Contracts with third party providers must reflect categorization requirements as established by this Policy. The categorization system applies equally to electronic and hard copy media.

SCOPE:

This Policy is applicable to all University locations, and applies to all institutional data and the systems that process, store or transmit such data, including personally owned systems.

POLICY:

Data Categories:

Three categories of sensitivity shall exist with regard to data used within the University. These are Public, Internal/Controlled and Restricted. The following definitions apply:

Public: Public data are intended for distribution to the general public, both internal and external to the University. The release of the data would cause no or minimal damage to the institution.

Internal/Controlled: Internal/controlled data are intended for distribution within the University only, generally to defined subsets of the user population. The release of the data has the potential to create moderate damage to the institution. (Such damage may be legal, academic [loss or alteration of intellectual property], financial, or intangible [loss of reputation]).

Restricted: Restricted data are those which the University has legal, regulatory, policy or contractual obligations to protect. Access to restricted data must be strictly and individually controlled and logged. The release of such data has the potential to create major damage to the institution. (Such damage may be legal, academic [loss or alteration of intellectual property], financial, or intangible [loss of reputation]).

A list of sample data falling into each of the categories is provided in Guideline ADG07.

Data Categorized by External Originator:

There are data whose categorization and handling are mandated by a data originator external to the University. Processes and protections for such data must be in accordance with the specific constraints provided by the originator in permitting the University or unit to use the data in whole or in part. In such cases, the originator's requirements must be followed beyond the categorization requirements given above.

Responsibilities:

Deans, Administrative Officers and Budget Executives:

are responsible for establishing processes within their units to identify systems or physical areas that deal with data in the categories established above.

will appoint a liaison to work with Security Operations and Services, the Privacy Office and Risk Management to identify the most critical assets (Restricted and Internal/Controlled) and to ensure appropriate safeguards exist for protection of such data. Appropriate safeguards are defined in Administrative Guideline ADG02.

along with their appointed liaisons, will further ensure that appropriate safeguards have been applied for systems that deal only with public data to help protect against the misuse or misappropriation of such assets.

in coordination with Security Operations and Services, the Privacy Office and Risk Management, will educate employees in their areas annually with regard to data categorization and appropriate use.

Where appropriate, the Privacy Office, Risk Management and Purchasing will ensure that third party contracts include data categorization requirements.

Users will be responsible for identifying the categories of information with which they deal and the systems or physical areas containing such data. Such identification will be in accordance with unit-established processes as managed by the unit liaison. Once identified, users will be responsible for protecting this information, in accordance with the parameters of this policy.

Sanctions for Policy Violations:

Any faculty, staff member or student who willfully or negligently releases internal/controlled or restricted information without authorization may be subject to disciplinary action up to and including expulsion for students or termination for employees.

Any faculty, staff member or student who willfully or negligently fails to categorize assets under his/her control correctly and to apply appropriate safeguards may be subject to disciplinary action up to and including termination.

Categorization Appeal Process:

Exceptions to the requirement to categorize data, or to the specific category assigned to a particular data type, must be approved by:

the respective Dean, Administrative Officer or Budget Executive;

the Senior Director of Security Operations and Services;

the Chief Privacy Officer; and

the Data Steward of the data in question.

FURTHER INFORMATION:

For questions, additional detail, or to request changes to this policy, please contact Security Operations and Services.

Revision History (and effective dates):

April 22, 2014 - Editorial change in the "Responsibilities" section, second bullet; addition of verbiage pointing readers to Administrative Guideline ADG02, where appropriate safeguards are listed for the proper protection of data.

January 29, 2014 - Editorial change in the POLICY section to reflect reorganization of Risk Management and Privacy Office as separate offices. Additionally, policy steward information has been added, in the event that there are questions or requests for changes to the policy.